[exim] Re: Debug TLS/DANE problems

Góra strony
Delete this message
Reply to this message
Autor: Wolfgang
Data:  
Dla: exim-users
Temat: [exim] Re: Debug TLS/DANE problems

Hello Chris,

Thanks for your hint, but that does not work. I have already used openssl s_client to extract the
whole certification chain, and I can confirm, that the DANE RR is valid.

The DANE RR signs the key of the letsencrypt intermediate, which signs the cert, the MX uses.
this last cert has a cname, which is different to the MX host, but one of the SANs embedded in this
certificate matches the MX hostname.
This shows how that ties together:

            +--------------+
            |intermediate  |
            |              |
            |key: 11111    |<--- TLSA RR signs this key (checked and valid)
            |              |
            +--------------+
                    |
                    | <-- signs the server cert, valid by signature and timeframe
                    |
                    V
          +------------------+
          | end certificate  |
          | key:2222         |
          | cname: a.test.xy |
          |                  |
          | SANs:            |
          |  b.test.xy       |
          |  c.test.xy       |
          |  d.test.xy       |
          |  e.test.xy       |
          |  f.test.xy       |
          |  g.test.xy       |
          |  h.test.xy       |
          | MX.test.xy       |<----- this is the MX host name
          +------------------+


So I need to dig into the verification exim is doing, to compare that to my findings.


--------------------
in reply to:

> My goal is getting informations, which of the presented certs during
> the TLS handshake exim takes into account for verifing the DANE RR.
> Furthermore if exim compares hostname against CN or one of the
> additional SANs embedded in the cert.


You may want to try using an external tool (not Exim) to verify and
inspect the TLS certificate chain presented by the external mail server.
My favourite tool for this is 'certigo':
        https://github.com/square/certigo


A typical usage for this would be:
        certigo connect -v -t smtp --identity "your.host.name" remote.mail.server:smtp


Then you can see if certigo verifies the certificate chain and what key
usages the various TLS certificates involved specify (typically 'Server
Auth' and 'Client Auth' for the server's direct TLS certificate).

        - cks



--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/